This tutorial shows you how to hash passwords in PHP 5.5 with the new password hashing API. A large number of web developers still use old, less secure algorithms such as MD5 and SHA1 to protect passwords. The new hashing API uses bcrypt (a key derivation function designed for passwords) instead. In this article we are going to explore PHP's new hashing API.

password_hash() – used to hash the password.
password_verify() – used to verify a password against its hash.

password_hash()

PHP

<?php
// Hash the plain-text password with the default algorithm (bcrypt in PHP 5.5).
$password = "phpgang";
$hash = password_hash($password, PASSWORD_DEFAULT);
?>

The hash generated by the code above is:

$2y$10$vdd/HDckxSzFdOMLZ4Rhh.M3MQeOsPCwcsvAFW3MJWMKdxdv63.

In this function the first parameter is your password and the second parameter specifies the algorithm used to hash the password.

PASSWORD_DEFAULT – the bcrypt algorithm (the default as of PHP 5.5.0).

If you are using PASSWORD_DEFAULT in your projects, it is recommended that the database column storing the hash be larger than 60 characters; defining the column as 255 characters is a good choice.

Most importantly, you don't have to provide a salt (a random string appended or prepended to the password before hashing is called a salt): this API automatically generates a random salt. If you want to supply your own salt, there is an option to pass it as the third parameter.

PHP

<?php
$password = "phpgang";
$options = [
    'salt' => function_for_salt(), // placeholder: write your own code to generate a salt
    'cost' => 11                   // allows you to change the CPU cost of the algorithm
];
echo password_hash($password, PASSWORD_DEFAULT, $options);
?>

We have generated a hashed password with this new API; now it is time to verify passwords with password_verify(). This function takes the plain-text password and the hashed password that we saved in the database.

password_verify()

PHP

<?php
$password = "phpgang";
// Hash previously produced by password_hash() and stored in the database.
$hash = '$2y$10$vdd/HDckxSzFdOMLZ4Rhh.M3MQeOsPCwcsvAFW3MJWMKdxdv63.';

if (password_verify($password, $hash)) {
    // Password valid!!
} else {
    // Invalid password.
}
?>

This way you can verify your passwords and make your website's passwords strong with the latest API. If you are not using PHP 5.5, there is a compatibility library available [here] that lets you create passwords with the latest hashing.
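The following is an added example, not code from the original post. It puts password_hash() and password_verify() together in a small register/login flow and goes one step beyond the text by using password_needs_rehash() (also part of the PHP 5.5 API) to upgrade hashes whose cost is lower than the current setting. The $users array stands in for the database table, and the cost values are assumed; the salt is left to the API, since the 'salt' option was deprecated in PHP 7.0.

```php
<?php
// Added example: in-memory user store standing in for a database table.
$users = array();   // username => stored bcrypt hash (constructed sample data)
$cost  = 11;        // assumed current bcrypt cost; raise it as hardware gets faster

function registerUser(array &$users, $username, $password, $cost)
{
    // The API generates a fresh random salt on every call, so two users with
    // the same password still receive different hashes.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT, array('cost' => $cost));
    return $users[$username];
}

function loginUser(array &$users, $username, $password, $cost)
{
    if (!isset($users[$username])) {
        return false;   // unknown user
    }
    $hash = $users[$username];
    if (!password_verify($password, $hash)) {
        return false;   // wrong password
    }
    // The plain-text password is only available at login, so this is the
    // moment to re-hash entries created with an older, cheaper cost.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, array('cost' => $cost))) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT, array('cost' => $cost));
    }
    return true;
}

// Demo: alice registered when the site still used cost 10.
registerUser($users, 'alice', 'phpgang', 10);
echo "stored cost before login: " . password_get_info($users['alice'])['options']['cost'] . "\n";

echo "alice/phpgang: " . (loginUser($users, 'alice', 'phpgang', $cost) ? "ok" : "denied") . "\n";
echo "stored cost after login:  " . password_get_info($users['alice'])['options']['cost'] . "\n";

echo "alice/wrong:   " . (loginUser($users, 'alice', 'wrong', $cost) ? "ok" : "denied") . "\n";
echo "bob/phpgang:   " . (loginUser($users, 'bob', 'phpgang', $cost) ? "ok" : "denied") . "\n";
```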

I am Huzoor Bux from Karachi (Pakistan). I have been working as a PHP developer for the last 5+ years, and it is my passion to learn new things and implement them as a practice. Basically I am a PHP developer, but nowadays I am exploring more in HTML5, CSS and jQuery libraries.

hello

First of all, nice post! My question is: now that we have a specific function for password hashing, is the best method for verifying whether the user is logged in to a system still using sessions? Or is there a better way with some of the new 5.5 functions? Thanks in advance!

gurwinder

nice …

Marco Ertl

Hmn. I didn't notice that there was already a function in PHP. I used sha('512', $salt . $password)